patchinfo.20260122121240008027.93181000773252/_patchinfo

@@ -0,0 +1,72 @@
+<patchinfo>
+  <issue tracker="cve" id="2025-58058"/>
+  <issue tracker="cve" id="2025-47911"/>
+  <issue tracker="cve" id="2025-58190"/>
+  <issue tracker="bnc" id="1251399">VUL-0: CVE-2025-47911: sbctl: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
+  <issue tracker="bnc" id="1251609">VUL-0: CVE-2025-58190: sbctl: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
+  <issue tracker="bnc" id="1248949">VUL-0: CVE-2025-58058: sbctl: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory</issue>
+  <packager>jubalh</packager>
+  <rating>moderate</rating>
+  <category>security</category>
+  <summary>Security update for sbctl</summary>
+  <description>This update for sbctl fixes the following issues:
+
+Changes in sbctl:
+
+- Upgrade the embedded golang.org/x/net to 0.46.0
+  * Fixes: bsc#1251399, CVE-2025-47911: various algorithms with
+    quadratic complexity when parsing HTML documents
+  * Fixes: bsc#1251609, CVE-2025-58190: excessive memory consumption
+    by 'html.ParseFragment' when processing specially crafted input
+
+- Update to version 0.18:
+  * logging: fixup new go vet warning
+  * workflows: add cc for cross compile
+  * workflow: add sudo to apt
+  * workflow: add pcsclite to ci
+  * workflow: try enable cgo
+  * go.mod: update golang.org/x/ dependencies
+  * fix: avoid adding bogus Country attribute to subject DNs
+  * sbctl: only store file if we did actually sign the file
+  * installkernel: add post install hook for Debian's traditional installkernel
+  * CI: missing libpcsclite pkg
+  * workflows: add missing depends and new pattern keyword
+  * Add yubikey example for create keys to the README
+  * Initial yubikey backend keytype support
+  * verify: ensure we pass args in correct order
+
+- bsc#1248949 (CVE-2025-58058):
+  Bump xz to 0.5.14
+
+- Update to version 0.17:
+  * Ensure we don't wrongly compare input/output files when signing
+  * Added --json supprt to sbctl verify
+  * Ensure sbctl setup with no arguments returns a helpful output
+  * Import latest Microsoft keys for KEK and db databases
+  * Ensure we print the path of the file when encountering an invalid PE file
+  * Misc fixups in tests
+  * Misc typo fixes in prints
+
+- Update to version 0.16:
+  * Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is
+    present
+  * Fixed a bug where sbctl would abort if the TPM eventlog
+    contains the same byte multiple times
+  * Fixed a landlock bug where enroll-keys --export did not work
+  * Fixed a bug where an ESP mounted to multiple paths would not be
+    detected
+  * Exporting keys without efivars present work again
+  * sbctl sign will now use the saved output path if the signed
+    file is enrolled
+  * enroll-keys --append will now work without --force.
+- Updates from version 0.15.4:
+  * Fixed an issue where sign-all did not report a non-zero exit
+    code when something failed
+  * Fixed and issue where we couldn't write to a file with landlock
+  * Fixed an issue where --json would print the human readable
+    output and the json
+  * Fixes landlock for UKI/bundles by disabling the sandbox feature
+  * Some doc fixups that mentioned /usr/share/
+</description>
+  <package>sbctl</package>
+</patchinfo>